plaintext 21 lines · 1 tab

Host firewall rules with nftables for default deny networking

Kai Nakamura Apr 2026
1 tab
table inet filter {
  chain input {
    type filter hook input priority 0;
    policy drop;

    ct state established,related accept
    iif lo accept
    tcp dport { 22, 80, 443 } accept
    ip protocol icmp accept
  }

  chain forward {
    type filter hook forward priority 0;
    policy drop;
  }

  chain output {
    type filter hook output priority 0;
    policy accept;
  }
}
1 file · plaintext Explain with highlit

I prefer a default-deny stance and then open only what the host actually serves. nftables is flexible enough to express that clearly without giant unreadable rule sets. A short explicit policy ages better than a sprawling inherited firewall script nobody trusts.

Share this code

Here's the card — post it anywhere.

Host firewall rules with nftables for default deny networking — share card
Link copied